On Thu, 26 Mar 2020 at 16:53 Peter Schober <peter.schober at univie.ac.at> wrote:
Not sure I follow about Shibboleth conventions.
The first time I saw that ShibIdP doesn't require any signature by default on the authnRequest I thought <<Ok, it's the accessibility/security trade-off!>>.
The only reason to sign authn requests is if they contain something extra the SP doesn't want to be removed (in transit) and replaced with an authn request without it, maybe forceAuthn or authn context class refs or something like that.

For ordinary authn requests the IDP must already validate the requested ACS URL (from the SAML spec), which of course is done using metadata obtained securely out of band.

So in the common case signing an authn request does not provide any added security but it does expose the SP to trivial DoS attacks.
(A note to those who think "signing" makes everything more secure, forgetting about the availability aspect of IT security.)
Good to know!
I never thought that a signature could be too computationally intensive, but it could be so.
Seems I have a lot to learn, when really I should be learning about the application I need to integrate...
Curiosity works like an engine.
____________________
Dott. Giuseppe De Marco
CENTRO ICT DI ATENEO
University of Calabria
87036 Rende (CS) - Italy
Phone: +39 0984 496961
e-mail: giuseppe.demarco at unical.it
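The check Peter describes, an IdP validating the AssertionConsumerServiceURL of an unsigned AuthnRequest against the SP's out-of-band metadata rather than trusting the request itself, as an added example that is not part of the thread. The entityID, ACS locations and sample requests are constructed, and a plain dict stands in for parsed SP metadata.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed stand-in for SP metadata obtained out of band:
# entityID -> set of registered AssertionConsumerService locations.
SP_METADATA = {
    "https://sp.example.org/shibboleth": {
        "https://sp.example.org/Shibboleth.sso/SAML2/POST",
        "https://sp.example.org/Shibboleth.sso/SAML2/Redirect",
    },
}


def validate_acs(authn_request_xml, metadata=SP_METADATA):
    """Return (ok, reason). Accept a request only if its ACS URL is one
    registered for the issuing SP; exact string match, no prefix matching."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return False, "not an AuthnRequest"
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if not issuer:
        return False, "missing Issuer"
    registered = metadata.get(issuer)
    if registered is None:
        return False, "unknown SP"
    acs = root.get("AssertionConsumerServiceURL")
    if acs is None:
        # No ACS in the request: the IdP falls back to the metadata default,
        # never to any value carried by the (unsigned) request itself.
        return True, "default ACS from metadata"
    if acs not in registered:
        return False, "ACS not registered"
    return True, "ACS matches metadata"


# Constructed sample request with a registered ACS location.
GOOD_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_c1" Version="2.0" IssueInstant="2020-03-26T15:53:00Z"
  AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
</samlp:AuthnRequest>"""

# Same request with the ACS swapped in transit to an unregistered endpoint;
# metadata validation rejects it without any request signature.
ALTERED_REQUEST = GOOD_REQUEST.replace(
    "https://sp.example.org/Shibboleth.sso/SAML2/POST",
    "https://other.example.net/acs")
```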